Why

Staying up to date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are two streams that will require constant attention: the guide itself and the apps that we use for examples.

What

Get to share the latest Android and iOS security enhancements

The first stream is all about making the guide up to date with the latest security updates on iOS 12, Android 9 and 10:

iOS 12:

UIWebViews are officially deprecated

New AuthenticationServices and Network frameworks

New Password AutoFill Framework for iOS and web apps

…

Android 9/10:

Scoped Storage: an isolated storage sandbox right on the external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained, media-specific permissions.

StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module.

You can now import encrypted keys securely into the Keystore using an ASN.1‑encoded key format.

…

All this, and much more that we or you might know about. Let's make sure we extend the guide on best practices and on what testers should look for in terms of bad practices.

The focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find on GitHub.

Get your hands dirty with the Android and iOS crackmes

In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):

1. Upgrade the existing crackmes & apps to be compatible with the latest versions of iOS and Android.

2. Ensure a proper build pipeline for the apps as part of the project so we can easily fix them.

3. Have newer detection mechanisms in the crackmes. For instance, make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. running Magisk). Or make the app Frida-resilient. Or… whatever you like! Try to make cool, challenging apps for other people. Just make sure they can be built and tested by the pipeline mentioned in item 2.

In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.

About

The Open Security Summit 2019 is focused on the collaboration between Developers and Application Security. Using the same model as the previous OWASP Summits, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively.